Followers

Sunday, April 17, 2011

Skype: responds to report of security hole

Skype Profile info left vulnerable to malicious applications

Skype on Friday issued a public response to a security issue uncovered recently that leaves some profile and message information open and vulnerable to malicious applications. Uncovered by Android Police, the vulnerability deals with the way the Skype Android application stores some personal information, making your profile information -- and your Skype contacts' profile information (among other bits of Skype data) -- easily found and scraped by any application that wants to. Skype, on its blog, has said:

It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files.

These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.

To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.

That's a fairly serious hole, and it's good that it was discovered, reported and is being fixed. So have you been in any danger all this time? Possibly, but you would have had to have installed a malicious application that knew to run this exploit in the first place. Chances of that are fairly low, but not out of the question. And it's important to remember that we're talking about Skype data, not the full contacts list on your phone. That doesn't mean it's not a gaping hole that needs to be closed; but neither are we worried about the sky falling. Be careful what you download, folks. [Skype, Android Police]